How to pass a time field parameter to a saved search?

Engager

I have a saved search which I would like to pass a _index_earliest=XXX parameter to. I am trying to make a search that will give information based on a specified time that can be configured by calling the saved search and then entering the specified time. For example, the call might look something like | savedsearch saved_search_name _index_earliest=xxx. I am aware that you can do this with host, but I am having trouble trying to do this with a time. I would be joining this search with another search that uses a different time, which is why I simply can't use the time set options provided in the drop-down.

0 Karma

Re: How to pass a time field parameter to a saved search?

Esteemed Legend

This is common; you just use latest and earliest like this:

earliest=xxx latest=now() your search text

You can chain it like this:

outer search stuff with time set by timepicker | stats latest(_time) AS earliestTime | map search="earliest=$earliestTime$ latest=now() search inner search stuff"
0 Karma

Re: How to pass a time field parameter to a saved search?

Engager

I am confused: where would the user pass in the value for earliest if it is getting the value from the stats latest(_time) function?

0 Karma

Re: How to pass a time field parameter to a saved search?

Esteemed Legend

By what method are you getting input from users? If I understand you correctly now, you would not use a saved search, you would use a macro (with the guts from your saved search) and then use the earliest=$earliest$ construct.

0 Karma

Re: How to pass a time field parameter to a saved search?

Engager

Okay, so by that do you mean that the guts from my saved search will be stored in a macro, and the earliest field will be left as "earliest=$earliest$", and so any time the user runs the query they would have to put in that date?

I originally envisioned it being as simple as "| savedsearch savedsearchname host=$host$" (but instead of host, earliest would be there). Then a user could just enter the date without seeing all the inner workings of the query.

0 Karma

Re: How to pass a time field parameter to a saved search?

Esteemed Legend

Yes, that is exactly what I mean, by calling the macro like this:

... | `earliestmacro("December 24, 2015 23:59:59")`
0 Karma

Re: How to pass a time field parameter to a saved search?

SplunkTrust

Hi jwit,

You can pass parameters into saved searches from a dashboard... just not directly.

Replace your searchName with searchString using this:

| savedsearch Perfmon_Processor_ProcessorTime_Total host=$host$

http://docs.splunk.com/Documentation/Splunk/6.2.1/SearchReference/savedsearch

If you want to use earliest, then you need to pass it as arguments to the | savedsearch command, within the search string, e.g., | savedsearch earliest=-24h@h.

Hope that helps ...

cheers, MuS
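A worked example, added here and not part of either answer above, that puts the two approaches from this thread side by side: a savedsearches.conf stanza whose time bounds are $start$/$end$ placeholders filled in by the key=value arguments of | savedsearch, and the macros.conf equivalent that takes the time as a macro argument. The stanza names, the $start$/$end$ placeholder names, the index, sourcetype and field names are assumptions chosen for the illustration, not values from the thread.

```ini
# savedsearches.conf (constructed example; stanza and placeholder names are assumptions)
# Any $name$ in the search string is replaced by a matching name=value argument
# given to | savedsearch, so the time window is supplied by the caller.
[auth_failures_in_window]
search = index=main sourcetype=linux_secure "Failed password" earliest=$start$ latest=$end$ \
| stats count AS failures BY src \
| where failures > 20

# Calling it (the caller never sees the search body):
#   | savedsearch auth_failures_in_window start=-24h@h end=now
#   | savedsearch auth_failures_in_window start="12/24/2015:00:00:00" end="12/25/2015:00:00:00"
#
# If an argument is omitted, the literal text $start$ stays in the search and it fails
# with an invalid time modifier instead of quietly searching all time. Set
# nosubstitution=true on the command if the saved search contains $...$ text that
# must not be replaced.

# macros.conf (the macro alternative suggested in the thread; constructed example)
# Arguments are positional; quote values that contain spaces, commas or colons.
[auth_failures_in_window_macro(2)]
args = start, end
definition = index=main sourcetype=linux_secure "Failed password" earliest=$start$ latest=$end$ \
| stats count AS failures BY src \
| where failures > 20

# Calling the macro:
#   | `auth_failures_in_window_macro("-24h@h", "now")`
```

Both forms let a user supply only the window while the detection logic stays in one reviewable place, which is also what you want when the search feeds an alert.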